The Windows PowerShell scripting tool is being increasingly used by malicious actors not only for data theft, but also for ransomware attacks, researchers have warned.
Windows PowerShell is a task-based command line shell and scripting language that enables IT teams to control and automate the administration of the operating system and applications. Built on the .NET Framework, the tool is available for all current versions of Windows, and it has been included by default starting with Windows 7.
Experts believe cybercriminals are increasingly relying on PowerShell because this is not a common technique and IT administrators who are usually on the lookout for malicious binaries might overlook threats that abuse the scripting tool.
In late March 2014, Trend Micro came across a new malware family, which they dubbed CRIGENT (Power Worm). Distributed as Word or Excel documents, CRIGENT relies on PowerShell to retrieve system information from the infected device and infect other Word and Excel files stored on the affected computer.
In May, Trend Micro researchers identified a new attack leveraging PowerShell. The threat had been distributed with the aid of emails purporting to come from Duo Wei Times, a US-based Chinese newspaper.
In this case, PowerShell has been used to download files and bypass execution policies. First, potential victims are served a shortcut (.lnk) file, detected by Trend Micro as LNK_PRESHIN.JTT, containing PowerShell commands in its properties. When executed, LNK_PRESHIN.JTT downloads another PowerShell scripting file, TROJ_PRESHIN.JTT, which in turn downloads and executed the final payload, BKDR_PRESHIN.JTT.
In a blog post published on Sunday, Trend Micro detailed a piece of ransomware, TROJ_POSHCODER.A, which uses PowerShell to encrypt files. POSHCODER, which appears to target Internet users in the United States, uses AES to encrypt the files, and RSA 4096 bit encryption to exchange the AES key.
This is not the first time experts have indentified a piece of ransomware using PowerShell. Back in early March, researchers from Sophos warned of Russian ransomware that used Windows PowerShell to perform file encryption with “Rijndael symmetric key encryption.” At the time, experts discovered that the encryption keys could be easily obtained with the aid of PowerShell.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
